Are firms and regulators prepared for GDPR?

The answer may hinge on if you’re a glass-half-full or glass-half-empty kind of person. While we’re at it, how about regulators’ level of preparedness, anyway?

With the enforcement of the General Data Protection Regulation (GDPR) just two weeks away on May 25 , organizations in the United Kingdom are further ahead in their preparations to comply with the law’s requirements than their peers elsewhere in the European Union and in the United States, a new survey by professional IT network Spiceworks reveals.

A total of 61 percent of UK-based firms said that they are or will be fully compliant with GDPR by the deadline. For the rest of the European Union, the ratio goes down to 46 percent. Meanwhile, only one in four US-based companies that are impacted by the new legislation will be ready in time.

What’s the reason for non-compliance? That depends on whom you ask. In Europe, more than 60 percent of the respondents that will not be compliant blamed a lack of time or resources. Across the pond, the most frequent reason – for 40 percent of respondents – was simply that GDPR was not a priority for their organization.

The survey polled 625 IT professionals in organizations in the United Kingdom, the rest of the EU, and in the United States in early April.

Image credit: Spiceworks

Over to you, regulators

A not-too-dissimilar picture is actually painted when it comes to those that are supposed to oversee the implementation and enforcement of greater privacy protections.

A Reuters survey has found that 17 out of 24 national or regional watchdog authorities or data protection officers in the EU that responded to the survey are ill-prepared to fulfill their GDPR-related duties when the law takes effect.

More precisely, the regulators said that they lack the necessary funding or powers to fulfill their GDPR duties. The shortage of authority is often because national governments have yet to update their laws to incorporate the Europe-wide rules. With that in mind, most respondents said that they would investigate complaints “on merit”.

In a nutshell, GDPR is intended to give power back to EU citizens over how their personal information is processed and used, including giving them “the right to be forgotten”. This means that individuals will be able to request that businesses delete their no longer necessary or accurate personal data. In addition, the law’s serious implications include data breach notification requirements and fines for non-compliance.

Further reading

We have previously covered the topic of GDPR extensively (including in a dedicated white paper) and will continue to do so as we get closer to the May 25 deadline.